Integrate with Salesforce

Access Bring Your Own Key in the Salesforce interface

  1. Log in to the Salesforce interface.

  2. Under Setup > Quick find, enter Platform Encryption and then select Key Management.

  3. Select Bring Your Own Key.

Entrust recommends that you use the Salesforce BYOK Guide when you are carrying the Salesforce operations because they might have been updated after the publication of the User Guide for the Cloud Integration Option Pack. Also use the Salesforce BYOK Guide to ensure that you use the appropriate authentication and that you are communicating with a genuine Salesforce server. See

Download the Salesforce public key certificate

To protect the delivery of the customer-supplied encryption key, Salesforce provide a public key in a certificate to wrap this encryption key.

  1. In the Salesforce interface, select Create Self-signed certificate.

  2. Enter a unique name for your certificate in the Label field.

    The Unique Name field automatically assigns a name based on what you enter in the Label field.

    The Exportable Private Key, Key Size, and Use Platform Encryption settings are pre-set.

    These settings ensure that your self-signed certificate is compatible with the Salesforce Shield Platform Encryption.

  3. Select Download Certificate.

If you want to use a CA-signed certificate, follow the instructions in the Salesforce BYOK Guide at

Use cloud_integration_tool to generate, wrap, and export a key and its hash

Using the downloaded public key certificate, call cloud_integration_tool as follows:

cloud_integration_tool salesforce <key name> <wrapping key> <wrapping algorithm>


key name

The name of the key to export. If the key does not exist, cloud_integration_tool generates it.

wrapping key

The certificate file you downloaded, with the .crt file extension.

wrapping algorithm

The algorithm to use for wrapping.

At the time of writing, Salesforce requires the wrapping algorithm to be RSAES_OAEP_SHA_1.

Running this command creates two files ready for upload:

<key name>-wrapped

The wrapped key file. Salesforce refers to this as the Encrypted Tenant Secret.

<key name>-hash

The hashed key file. Salesforce refers to this as the Hashed Tenant Secret.

Upload the wrapped and hashed key data to Salesforce

On the Bring Your Own Key page of the Salesforce interface, upload the two files under Upload Tenant Secret. After the upload, the key is listed on the Key Management page and is ready for use.

At this point users have now extended trust to Salesforce in terms of use of the key and its destruction.